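// Demo: building SQL by string interpolation versus passing values as
// query parameters. `pool` is expected to be a connection pool created
// elsewhere in the file (it is not defined here); the callback signature
// (error, results, fields) is the node-mysql style this snippet targets.

const obj = { id: 1, name: 'b', age: 1 };
// Anti-pattern: the values are spliced straight into the SQL text, so any
// attacker-controlled value becomes part of the statement (SQL injection).
// Even with benign values the interpolation is fragile: `name=b` is
// emitted without quotes, so the statement is not valid SQL as written.
const str = `update table set name=${obj.name},age=${obj.age} where id=${obj.id}`;
pool.query(str, function (error, results, fields) {
  // NOTE: throwing inside the callback leaves no handler above it;
  // in real code log or propagate the error instead.
  if (error) throw error;
  console.log(results);
});

// Safer: keep the SQL text fixed, use `?` placeholders, and pass the values
// separately so the driver escapes them and they are never parsed as SQL.
const obj2 = { id: 1, name: 'b', age: 1 };
const str2 = `update table set name=?,age=? where id=?`;
// Fix: the original bound obj.* here even though this example declares obj2.
pool.query(str2, [obj2.name, obj2.age, obj2.id], function (error, results, fields) {
  if (error) throw error;
  console.log(results);
});

// Or bind a whole object to a single `?` for the SET clause — presumably the
// driver expands it into `key = value` pairs (confirm against the driver
// docs). Note obj3 also carries `id`, so `id` is part of the SET as well.
const obj3 = { id: 1, name: 'b', age: 1 };
const str3 = `update table set ? where id=?`;
pool.query(str3, [obj3, obj3.id], function (error, results, fields) {
  if (error) throw error;
  console.log(results);
});

const obj4 = { name: 'bo', age: 1 };
// An INSERT takes the same object-binding form (not executed in this demo).
const addstr = `insert into table set ?`;
// The string-built form of the same INSERT, kept only for comparison — it has
// the same injection problem as `str` above. Fix: the original line had an
// unbalanced `"` around the name value.
const addstr0 = `insert into table (name,age) values ("${obj4.name}",${obj4.age})`;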